
Showing posts with label IcedID.

Installing Software via Google Poses Concerns

Researchers say that while searching Google for downloads of well-known software has always carried some risk, in recent months it has become downright dangerous.
On Thursday, volunteers at Spamhaus said that threat researchers were used to seeing a moderate volume of malicious advertising delivered through Google Ads.

Multiple malware families, including AuroraStealer, IcedID, Meta Stealer, RedLine Stealer, Vidar, Formbook, and XLoader, are behind the rise. In the past, the groups running them relied heavily on spam attachments: Microsoft Word documents with booby-trapped macros. Over the past month, Google Ads has become the preferred channel for distributing their malware, which is disguised as legitimate downloads of well-known software including Adobe Reader, GIMP, Microsoft Teams, OBS, Slack, and Thunderbird.

This week, researchers from the security firm Saiflow disclosed two flaws in older versions of the Open Charge Point Protocol (OCPP), an open standard used by many electric vehicle charging stations to communicate with their management software. By exploiting vulnerable OCPP implementations, an attacker could take control of a charger, disable groups of chargers, or steal electricity from a charger for their own use. Saiflow says it is working with EV charger manufacturers to reduce the risk posed by the vulnerabilities.

Hegel from SentinelOne provides one case: Real C2 traffic is masked by Formbook's and XLoader's HTTP requests to several sites, randomly chosen from an embedded list and sent with encoded and encrypted content. The rest of the domains are merely decoys; only one is the actual C2 server. A sample that we examined sent HTTP GET and/or POST requests to the 17 domains (16 endpoints) specified in the IOC table below, while encoding and encrypting the HTTP data. XLoader's implementation of this technique in particular is covered at length in prior research.

Earlier research also documents this strategy of hiding the genuine C2 domain by beaconing to many domains. The malware beacons to both live and unregistered domains. The accompanying figure, a snapshot of some of the domains the malware contacts, shows the wide spread of domain ages, hosting providers, and registration dates.

Unless Google develops new protections, the use of decoy domains and other obfuscation techniques to hide the real control servers behind the pervasive MalVirt campaign and similar malvertising campaigns will remain effective. MalVirt also delivers malware that is difficult to detect.
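The decoy-domain beaconing described above leaves a usable trace on the defender's side even when the real C2 cannot be told apart from the decoys: one client sends the same request shape to many unrelated domains within seconds. The following is an added example, not code from the SentinelOne report, that finds that pattern in proxy logs. The log format, the five-minute window, the five-domain threshold and the crude "last two labels" registrable-domain helper are all assumptions for the demo, and the log lines are constructed rather than real indicators.

```python
"""Flag clients that hit many unrelated domains with one request shape in a short window."""
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not real IOCs): timestamp client method host path bytes_out
PROXY_LOG = """\
2023-02-01T10:00:01 10.0.0.5 GET  www.decoy-one.test /gnjq/?Xu=ZGF0YQ 0
2023-02-01T10:00:03 10.0.0.5 POST decoy-two.test /gnjq/ 184
2023-02-01T10:00:05 10.0.0.5 POST decoy-three.test /gnjq/ 184
2023-02-01T10:00:07 10.0.0.5 GET  decoy-four.test /gnjq/?Xu=ZGF0YQ 0
2023-02-01T10:00:09 10.0.0.5 POST real-c2.test /gnjq/ 184
2023-02-01T10:00:11 10.0.0.5 POST decoy-six.test /gnjq/ 184
2023-02-01T10:00:20 10.0.0.7 GET  update.vendor.test /check 0
2023-02-01T10:01:00 10.0.0.7 POST api.vendor.test /telemetry 512
2023-02-01T10:02:00 10.0.0.7 GET  cdn.vendor.test /check 0
"""


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); assumption for the demo, use a public-suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def path_shape(path):
    """Drop the query string so GET /gnjq/?Xu=... and POST /gnjq/ share one key."""
    return path.split("?", 1)[0]


def find_multi_domain_beacons(log_text, window_seconds=300, min_domains=5):
    """Group requests by (client, time window, path shape); alert when one group spans many domains."""
    buckets = defaultdict(set)  # (client, window, path) -> registrable domains contacted
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host, path, _size = line.split()
        window = int(datetime.fromisoformat(ts).timestamp() // window_seconds)
        buckets[(client, window, path_shape(path))].add(registrable_domain(host))
    alerts = {}
    for (client, _window, path), domains in buckets.items():
        if len(domains) >= min_domains:
            alerts.setdefault(client, []).append({"path": path, "domains": sorted(domains)})
    return alerts


if __name__ == "__main__":
    for client, hits in find_multi_domain_beacons(PROXY_LOG).items():
        for hit in hits:
            print(f"{client}: {len(hit['domains'])} distinct domains with path {hit['path']}: "
                  + ", ".join(hit["domains"]))
```

The alert lists every domain in the burst rather than guessing which one is live: the point of the technique is that the live C2 looks like the decoys, so the response is to block or sinkhole the whole set for that host and let the beacon cadence, not domain reputation, drive the verdict.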


IcedID Botnet Distributors Abuse Google PPC to Disseminate Malware


Businesses use Google Ads to deliver advertisements to specific audiences in order to drive traffic and sales. Since the beginning of December, IcedID botnet distributors have been using SEO poisoning to lure search engine users to fake websites that deliver malware.
Attackers bid on and rank for keywords used by well-known businesses and applications in Google pay-per-click (PPC) ads, so that their malicious ads appear above the organic search results.
  • According to Trend Micro researchers, attackers are abusing terms associated with organizations including Adobe, AnyDesk, Brave Browser, Chase Bank, Discord, Fortinet, GoTo, TeamViewer, Thunderbird, the US Internal Revenue Service (IRS), and others.
  • Attackers use the commercial Keitaro Traffic Direction System (TDS) to filter out researcher and sandbox traffic and to direct potential victims to cloned websites of reputable companies and well-known applications.
  • When the user clicks the Download button, a malicious Microsoft Software Installer (MSI) or Windows Installer file is downloaded to the user's computer.
  • This file serves as the bot's initial loader: it fetches the bot core, which then drops a backdoor payload.
Escaping Detection:

IcedID operators have used several techniques in these malvertising attacks to make detection difficult. Well-known, widely used libraries such as tcl86.dll, sqlite3.dll, conEmuTh.x64.dll, and libcurl.dll are among the files modified to serve as IcedID loaders.

Because the genuine and modified versions of the installer files and libraries are so similar, machine learning detection engines and allowlisting systems have difficulty telling the modified versions apart from the originals.
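Similarity is exactly what hash-based checks do not care about: a single patched byte in a library such as the ones listed above changes its SHA-256 and breaks its Authenticode signature. The following is an added example, not Trend Micro's or IcedID's code, of triaging a DLL pulled out of an installer against a vendor hash allowlist plus two structural red flags (a section that is both writable and executable, and executable bytes with near-random entropy). The two PE images, the allowlist and the 7.0-bit entropy threshold are constructed for the demo; nothing here describes the actual layout of a real IcedID loader.

```python
"""Triage a 'well-known' DLL: vendor hash allowlist first, then cheap structural checks."""
import hashlib
import math
import random
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(buf):
    """Bits per byte; ~8.0 means encrypted or compressed content."""
    if not buf:
        return 0.0
    n = len(buf)
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(data):
    """Walk DOS header -> e_lfanew -> COFF header -> section table; return per-section facts."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    out = []
    for i in range(nsections):
        name, _vs, _va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(SECTION_HEADER, data, table + 40 * i)
        body = data[raw_ptr:raw_ptr + raw_size]
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                    "chars": chars, "size": raw_size, "entropy": shannon_entropy(body)})
    return out


def triage_dll(data, allowlist_sha256, entropy_threshold=7.0):
    """Return findings; an empty list means 'matches a known-good build and nothing looks odd'."""
    findings = []
    digest = hashlib.sha256(data).hexdigest()
    if digest not in allowlist_sha256:
        findings.append(f"sha256 {digest[:16]}... not in vendor allowlist")
    for s in pe_sections(data):
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {s['name']} is writable and executable")
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["entropy"] > entropy_threshold:
            findings.append(f"section {s['name']} is executable with entropy {s['entropy']:.2f} (packed or encrypted code?)")
    return findings


def build_pe(sections):
    """Constructed, non-loadable PE image: just enough headers for the parser above."""
    e_lfanew, opt_size = 0x40, 0xE0  # IMAGE_OPTIONAL_HEADER32 size; contents left zeroed
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x2102)
    first_raw = (e_lfanew + 24 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF
    table, bodies = b"", b""
    for name, chars, body in sections:
        table += struct.pack(SECTION_HEADER, name.ljust(8, b"\0"), len(body), 0x1000,
                             len(body), first_raw + len(bodies), 0, 0, 0, 0, chars)
        bodies += body
    image = dos + b"PE\0\0" + coff + b"\0" * opt_size + table
    return image + b"\0" * (first_raw - len(image)) + bodies


# Constructed "vendor build" and a trojanized copy carrying an extra RWX section of encrypted-looking bytes.
_rng = random.Random(2023)
_TEXT = (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, b"\x55\x8b\xec\x5d\xc3" * 400)
_DATA = (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, b"\0" * 256)
GENUINE_DLL = build_pe([_TEXT, _DATA])
PATCHED_DLL = build_pe([_TEXT, _DATA,
                        (b".stage", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE,
                         bytes(_rng.getrandbits(8) for _ in range(4096)))])
VENDOR_ALLOWLIST = {hashlib.sha256(GENUINE_DLL).hexdigest()}  # constructed stand-in for vendor-published hashes

if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE_DLL), ("patched", PATCHED_DLL)):
        print(label, triage_dll(blob, VENDOR_ALLOWLIST) or ["clean"])
```

The order matters: the hash check is authoritative and cheap, so a match ends triage, while the section heuristics only explain why an unknown build deserves a closer look. On a real Windows host the equivalent first step is verifying the Authenticode signature, which a patched library fails regardless of how similar its bytes are.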

In recent months, cybercriminals have used IcedID to gain initial access, establish persistence on the host, and carry out other malicious activity. In October, attackers were seen using phishing emails in Italian or English to distribute IcedID via ISO files, archives, or document attachments containing macros. In September, the UAC-0098 group was observed using IcedID and Cobalt Strike payloads to target Ukrainian NGOs and organisations in Italy.

In the same month, Raspberry Robin worm infections were seen deploying IcedID. The threat actors behind IcedID have recently used a wide range of distribution techniques, as is to be expected while they test which tactics work best against particular targets. Users should watch out for fraudulent or phishing websites and be cautious when downloading software.

Microsoft: Hackers Exploring New Attack Techniques

Malicious actors are adapting their tactics, techniques, and procedures (TTPs) in response to Microsoft's move to automatically block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros across Office applications.

Malicious Microsoft Office attachments sent in phishing emails often contain VBA or XL4 macros, small programs designed to automate repetitive tasks in Office applications, which threat actors use to load, drop, or install malware.

Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, stated "the threat landscape has changed significantly as a result of threat actors shifting away from directly disseminating macro-based email attachments."

The shift follows Microsoft's announcement that it would curb the widespread abuse of the Office subsystem by making macros harder to enable and blocking them by default.

New tactics 

The use of ISO, RAR, and Windows shortcut (LNK) attachments to get around the block has increased by 66 percent, according to security firm Proofpoint, which calls the activity 'one of the largest email threat landscape shifts in recent history.' Actors spreading the Emotet malware are among those involved.

The use of container files such as ISOs, ZIPs, and RARs has also risen rapidly, by about 175 percent. Threat actors are increasingly using them as initial access mechanisms: between October 2021 and June 2022, the use of ISO files surged by over 150 percent.

Since October 2021, the number of campaigns involving LNK files has climbed by 1,675 percent. Proofpoint is tracking a variety of cybercriminal and advanced persistent threat (APT) actors who frequently use LNK files.

Emotet, IcedID, Qakbot, and Bumblebee are among the well-known malware families distributed using these techniques.

According to Proofpoint, the use of HTML attachments that employ HTML smuggling to deliver malware to the host has also increased significantly, although their distribution volumes remain relatively low.

Finally, with a narrower range of threat types to assess, email security systems are now more likely to detect malicious files.

Quantum Ransomware was Detected in Several Network Attacks


Quantum ransomware, first seen in August 2021, has been observed carrying out fast attacks that leave defenders little time to react. In one intrusion, the attack began with an IcedID payload installed on a user endpoint, and Quantum ransomware was launched 3 hours and 44 minutes later. DFIR Report researchers identified it as one of the fastest ransomware attacks they had ever seen. IcedID and ISO files have recently been used in other attacks too, as ISO files are effective at getting past email security controls.

According to Mandiant's M-Trends 2022 report, in a Ryuk ransomware attack in October 2020 the threat actors began encrypting the victim's data only 29 hours after the initial breach. The median global dwell time for ransomware is around 5 days; once the ransomware has been deployed, however, the victim's data may be encrypted in minutes. According to a recent Splunk analysis, ransomware encrypts data in an average of 43 minutes, with the fastest encryption time under 6 minutes.

In the Quantum ransomware intrusion examined, the IcedID payload was stored within an ISO image, presumably distributed by email. The malware was disguised as a "document" file that was actually an LNK file designed to run a DLL (IcedID). When the DLL executed, it ran several discovery commands using built-in Windows utilities, and a scheduled task was created for persistence.
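The "document" shortcut that actually runs a DLL, described in this intrusion, and the container-file attachments (ISO, ZIP, RAR with LNK inside) that Proofpoint counts in the Microsoft post above, are the same artifact seen from two sides: a shortcut whose visible name and icon say document while its target says rundll32. The following is an added example, not code from the DFIR Report or from Proofpoint, that walks the MS-SHLLINK header and StringData of a .lnk pulled out of a zip and flags the mismatch. The shortcut bytes, the zip, the file names and the list of living-off-the-land binaries are constructed for the demo; the DLL name and export are placeholders, not the intrusion's.

```python
"""Parse Windows shortcuts inside a container attachment and flag document-lookalike launchers."""
import io
import re
import struct
import zipfile

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_REL_PATH, HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x08, 0x10, 0x20, 0x40, 0x80
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "cmd.exe", "powershell.exe",
           "wscript.exe", "cscript.exe", "msiexec.exe", "certutil.exe"}  # assumed watch-list


def _string_data(buf, off, unicode):
    """One StringData item: u16 character count followed by the characters (no terminator)."""
    count = struct.unpack_from("<H", buf, off)[0]
    off += 2
    if unicode:
        return buf[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return buf[off:off + count].decode("cp1252", "replace"), off + count


def parse_lnk(buf):
    """Return the StringData fields (relative_path, arguments, icon_location, ...) of a shell link."""
    if len(buf) < 0x4C or buf[:4] != b"\x4c\0\0\0" or buf[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", buf, 0x14)[0]
    off = 0x4C
    if flags & HAS_ID_LIST:      # LinkTargetIDList: u16 size, then the items
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINK_INFO:    # LinkInfo: u32 size that includes itself
        off += struct.unpack_from("<I", buf, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                     (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location")):
        if flags & bit:
            fields[key], off = _string_data(buf, off, unicode)
    return fields


def assess_lnk(buf):
    """Document-shaped shortcut that launches a LOLBin, loads a DLL, or borrows an icon: flag it."""
    f = parse_lnk(buf)
    target = f.get("relative_path", "")
    exe = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    reasons = []
    if exe in LOLBINS:
        reasons.append(f"target is {exe}")
    if re.search(r"\.dll\b", f.get("arguments", ""), re.I):
        reasons.append("arguments load a DLL")
    if exe in LOLBINS and f.get("icon_location"):
        reasons.append(f"icon borrowed from {f['icon_location']}")
    return {"target": target, "arguments": f.get("arguments", ""), "reasons": reasons, "suspicious": bool(reasons)}


def scan_zip(zip_bytes):
    """Assess every .lnk member; nested disk images are reported as containers to unpack next."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for name in z.namelist():
            lower = name.lower()
            if lower.endswith(".lnk"):
                results[name] = assess_lnk(z.read(name))
            elif lower.endswith((".iso", ".img", ".vhd")):
                results[name] = {"target": "", "arguments": "", "reasons": ["nested disk image"], "suspicious": True}
    return results


def build_lnk(relative_path, arguments, icon_location, working_dir="."):
    """Constructed shortcut: 76-byte header, empty IDList, unicode StringData, ShowCommand=7 (minimized)."""
    flags = HAS_ID_LIST | HAS_REL_PATH | HAS_WORKING_DIR | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 7, 0, 0, 0, 0)
    idlist = struct.pack("<H", 2) + b"\0\0"  # only the TerminalID
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, working_dir, arguments, icon_location))
    return header + idlist + body


def build_zip(members):
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w") as z:
        for name, data in members.items():
            z.writestr(name, data)
    return bio.getvalue()


# Constructed attachment: a "document" shortcut that runs rundll32 on a DLL, beside a benign shortcut.
MALICIOUS_LNK = build_lnk("..\\..\\..\\Windows\\System32\\rundll32.exe", "docs\\invoice.dll,Init",
                          "%SystemRoot%\\System32\\imageres.dll")
BENIGN_LNK = build_lnk("..\\Reports\\Q3-summary.docx", "", "")
ATTACHMENT_ZIP = build_zip({"document.lnk": MALICIOUS_LNK, "readme.txt": b"see document", "Q3.lnk": BENIGN_LNK})

if __name__ == "__main__":
    for name, verdict in scan_zip(ATTACHMENT_ZIP).items():
        print(name, "SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["reasons"])
```

The parser deliberately stops at StringData: the target and arguments are what decide the verdict, and the icon location is what makes the lure work. Real shortcuts usually carry a LinkInfo block and a longer IDList, which the size-prefixed skips handle without interpreting them.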

Cobalt Strike was deployed on the victim system about two hours after the initial breach, allowing the attackers to begin hands-on-keyboard activity. They then performed network reconnaissance, identifying each host in the environment as well as the target organization's Active Directory structure. After dumping the memory of LSASS, the intruders obtained Windows domain credentials and moved laterally across the network.

The attackers also used Cobalt Strike to collect credentials and test them with remote WMI commands. The credentials let the adversary log in to a target server over Remote Desktop Protocol (RDP), from which they attempted to distribute Cobalt Strike Beacon. They then used RDP to access other servers in the environment, where they staged the Quantum ransomware on each host. Finally, the threat actors used WMI and PsExec to deploy the Quantum ransomware payload and encrypt devices.

Quantum Locker is a rebranded version of the MountLocker ransomware, which first appeared in September 2020. Since then, the gang has operated under several names, including AstroLocker, XingLocker, and now Quantum Locker.

While the DFIR Report notes that no data exfiltration activity was detected in the intrusion it investigated, researchers say the gang's ransom demands vary by victim, with some attacks seeking $150,000 in exchange for a decryptor. Unlike its earlier incarnations, Quantum Locker is not a highly active operation, with only a few attacks per month.

QBot Malware Replaces IcedID in Malspam Campaigns


QBot malware is making a comeback, replacing IcedID in malspam campaigns. Security researchers have noticed that a malware distributor is once again rotating its payload, switching between two Trojans that serve as an intermediary stage in a longer infection chain. In this case the back-and-forth is between QBot and IcedID, two banking Trojans often seen delivering various ransomware strains as the final payload of an attack.

In February, IcedID was the new payload served from URLs that had previously delivered QBot. Brad Duncan of Palo Alto Networks spotted the change and noted in his analysis at the time: “HTTPS URL ends with /ds/2202.gif, generated by Excel macro, which would normally distribute Qakbot, but today it delivered IcedID”.

James Quinn, a threat researcher at Binary Defense, made the same observation in a blog post in March, when the company unearthed a new IcedID/BokBot variant while tracking a malicious spam campaign from a QakBot distributor.

IcedID was first identified as a banking trojan in 2017 and was soon adapted for malware delivery. It has been seen distributing RansomExx, Maze, and Egregor ransomware. After a gap of about a month and a half, the distributor switched the payload back to QBot (aka QakBot), which has previously delivered ProLock, Egregor, and DoppelPaymer ransomware.

Malware researcher and reverse engineer reecDeep noticed the latest switch on Monday, observing that the updated campaign still relies on XLM macros. The analyses by Binary Defense and Brad Duncan of the distributor's switch to IcedID in February 2021 described the same trick.

Recently, security researchers at the threat intelligence firm Intel 471 published details about Ettersilent, a malicious document builder, showing its continued development and its ability to bypass multiple security mechanisms (Windows Defender, AMSI, email services).

One feature of the tool is that it can produce malicious documents that look like DocuSign- or DigiCert-protected files requiring user interaction to "decrypt" them. According to Intel 471, many cybercriminal groups have started using Ettersilent, including those behind IcedID, QakBot, Ursnif, and Trickbot.

Cybercriminals Are Using Google URLs as a Weapon to Spread Malware


Security researchers at Microsoft have warned organizations of a new phishing campaign in which the contact forms published on organizations' websites are abused to send them emails containing fake legal threats and malicious links. The emails direct recipients to click a link to review the supposed evidence behind the allegations, but the link instead leads to the download of IcedID, an information-stealing malware. Microsoft Defender for Office 365 detects and blocks these emails, shielding enterprises from the threat.

As a precaution, Microsoft reported the threat to Google's security teams, since the attackers are using legitimate Google URLs to deliver the malware. These URLs are useful to attackers because they pass email security filters. The attackers also appear to have bypassed the CAPTCHA challenges meant to verify that a contact-form submission comes from a human.

"Attackers are abusing legitimate infrastructure, such as websites' contact forms, to bypass protections, making this threat highly evasive. Besides, attackers use legitimate URLs, in this case, Google URLs that require targets to sign in with their Google credentials," the Microsoft 365 Defender Threat Intelligence Team stated. 

Microsoft is concerned by the methodology. So far it has observed the criminals using these URLs in emails to deliver IcedID, but the same technique could just as easily be used to deliver other malware.

IcedID is an information-stealing malware that connects to a command-and-control server to download modules that perform functions such as stealing banking credentials and other data. It establishes persistence and downloads additional tools that let remote attackers carry out further malicious actions on the target system, including credential theft, lateral movement, and delivery of additional payloads.

"We have already alerted security groups at Google to bring attention to this threat as it takes advantage of Google URLs. We observed an influx of contact form emails targeted at enterprises by means of abusing companies' contact forms. This indicates that attackers may have used a tool that automates this process while circumventing CAPTCHA protections. As the emails are originating from the recipient's own contact form on their website, the email templates match what they would expect from an actual customer interaction or inquiry," Microsoft further notes.
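Because the messages arrive through the organization's own contact form and carry links on legitimate Google infrastructure, neither the sender domain nor the link domain gives a mail filter anything to block. What remains distinctive is the combination: a legal-threat pretext plus "evidence" hosted on a Google sharing service. The following is an added example, not Microsoft's detection logic, that screens contact-form submissions on that combination and statically unwraps google.com/url?q= style redirectors so the real destination host is what gets scored. The keyword list, the Google-hosted domain list, the scores and the three sample submissions are constructed assumptions for the demo.

```python
"""Screen contact-form submissions for legal-threat lures pointing at Google-hosted content."""
import re
from urllib.parse import parse_qs, unquote, urlparse

# Assumed lists for the demo; tune to what your forms actually receive.
GOOGLE_HOSTED = {"sites.google.com", "drive.google.com", "docs.google.com",
                 "storage.googleapis.com", "firebasestorage.googleapis.com"}
LEGAL_THREAT = re.compile(
    r"\b(copyright|infring\w*|lawsuit|legal action|attorney|dmca|trademark|stolen (?:images|photos))\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def unwrap_google_redirect(url, max_hops=3):
    """Statically resolve https://www.google.com/url?q=<target> wrappers; no network access."""
    for _ in range(max_hops):
        p = urlparse(url)
        if p.netloc.lower().endswith("google.com") and p.path == "/url":
            query = parse_qs(p.query)
            target = query.get("q") or query.get("url")
            if not target:
                break
            url = unquote(target[0])
        else:
            break
    return url


def screen_submission(message):
    """Score a submission: Google-hosted link (2), legal-threat wording (1), both together (+2)."""
    urls = [unwrap_google_redirect(u) for u in URL_RE.findall(message)]
    google_hosted = [u for u in urls if urlparse(u).netloc.lower() in GOOGLE_HOSTED]
    keywords = sorted({m.group(1).lower() for m in LEGAL_THREAT.finditer(message)})
    score = (2 if google_hosted else 0) + (1 if keywords else 0) + (2 if google_hosted and keywords else 0)
    return {"urls": urls, "google_hosted": google_hosted, "legal_keywords": keywords,
            "score": score, "quarantine": score >= 4}


# Constructed submissions (not real messages from the campaign).
SUBMISSIONS = {
    "threat": ("Hi, you are using MY copyrighted images on your website without permission. "
               "This is a copyright infringement. Download the evidence and your notice here: "
               "https://www.google.com/url?q=https%3A%2F%2Fsites.google.com%2Fview%2Fcase-evidence-0001 "
               "or face a lawsuit."),
    "customer": ("Hello, I'd like a quote for 40 licences. Our requirements doc is at "
                 "https://intranet.example.test/rfq/2023-0412.pdf - thanks!"),
    "drive_share": "Sharing the photos from the event: https://drive.google.com/file/d/abc123/view",
}

if __name__ == "__main__":
    for name, text in SUBMISSIONS.items():
        v = screen_submission(text)
        print(f"{name}: score={v['score']} quarantine={v['quarantine']} keywords={v['legal_keywords']}")
```

A plain Google Drive share scores 2 and is left alone, which is the point of scoring the combination rather than the link: blocking every Google-hosted URL would break legitimate customer contact, while a legal threat whose only evidence is a sign-in-gated Google page is exactly the lure the campaign relies on. This is a compensating control for the CAPTCHA bypass noted above; it inspects what the form delivered rather than trusting the form's own bot check.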